Проблема в том, что Radius не хочет работать с PostgreSQL. Т.е. если аккаунт завести в users, radtest выполняется без проблем, как только тестирую аккаунт из БД - reject. Есть подозрение, что radius-сервер не грузит драйвер для PostgreSQL, но как исправить это - я не пойму. Пожалуйста, помогите найти решение. Вот конфиг и логи:raduisd -Xx:
Sat Jul 18 11:05:32 2009 : Info: FreeRADIUS Version 2.1.6, for host i386-portbld-freebsd7.0, built on Jul 18 2009 at 09:39:08
Sat Jul 18 11:05:32 2009 : Info: Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
Sat Jul 18 11:05:32 2009 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Sat Jul 18 11:05:32 2009 : Info: PARTICULAR PURPOSE.
Sat Jul 18 11:05:32 2009 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Sat Jul 18 11:05:32 2009 : Info: GNU General Public License v2.
Sat Jul 18 11:05:32 2009 : Info: Starting - reading configuration files ...
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/radiusd.conf
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/proxy.conf
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/clients.conf
Sat Jul 18 11:05:32 2009 : Debug: including files in directory /usr/local/etc/raddb/modules/
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/wimax
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/always
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/attr_filter
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/attr_rewrite
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/chap
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/checkval
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/counter
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/detail
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/detail.example.com
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/detail.log
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/digest
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/echo
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/etc_group
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/exec
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/expiration
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/expr
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/files
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/inner-eap
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/ippool
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/krb5
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/ldap
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/linelog
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/logintime
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/mac2ip
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/mac2vlan
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/mschap
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/otp
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/pam
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/pap
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/passwd
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/perl
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/policy
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/preprocess
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/radutmp
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/realm
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/smbpasswd
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/smsotp
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/sql_log
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/sradutmp
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/unix
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/modules/acct_unique
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/eap.conf
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/sql.conf
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/sql/postgresql/dialup.conf
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/policy.conf
Sat Jul 18 11:05:32 2009 : Debug: including files in directory /usr/local/etc/raddb/sites-enabled/
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/sites-enabled/default
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
Sat Jul 18 11:05:32 2009 : Debug: including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
Sat Jul 18 11:05:32 2009 : Debug: group = freeradius
Sat Jul 18 11:05:32 2009 : Debug: user = freeradius
Sat Jul 18 11:05:32 2009 : Debug: including dictionary file /usr/local/etc/raddb/dictionary
Sat Jul 18 11:05:32 2009 : Debug: main {
Sat Jul 18 11:05:32 2009 : Debug: prefix = "/usr/local/"
Sat Jul 18 11:05:32 2009 : Debug: localstatedir = "/var"
Sat Jul 18 11:05:32 2009 : Debug: logdir = "/var/log"
Sat Jul 18 11:05:32 2009 : Debug: libdir = "/usr/local/lib/freeradius-2.1.6"
Sat Jul 18 11:05:32 2009 : Debug: radacctdir = "/var/log/radacct"
Sat Jul 18 11:05:32 2009 : Debug: hostname_lookups = no
Sat Jul 18 11:05:32 2009 : Debug: max_request_time = 30
Sat Jul 18 11:05:32 2009 : Debug: cleanup_delay = 5
Sat Jul 18 11:05:32 2009 : Debug: max_requests = 1024
Sat Jul 18 11:05:32 2009 : Debug: allow_core_dumps = no
Sat Jul 18 11:05:32 2009 : Debug: pidfile = "/var/run/radiusd/radiusd.pid"
Sat Jul 18 11:05:32 2009 : Debug: checkrad = "/usr/local/sbin/checkrad"
Sat Jul 18 11:05:32 2009 : Debug: debug_level = 0
Sat Jul 18 11:05:32 2009 : Debug: proxy_requests = yes
Sat Jul 18 11:05:32 2009 : Debug: log {
Sat Jul 18 11:05:32 2009 : Debug: stripped_names = no
Sat Jul 18 11:05:32 2009 : Debug: auth = no
Sat Jul 18 11:05:32 2009 : Debug: auth_badpass = no
Sat Jul 18 11:05:32 2009 : Debug: auth_goodpass = no
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: security {
Sat Jul 18 11:05:32 2009 : Debug: max_attributes = 200
Sat Jul 18 11:05:32 2009 : Debug: reject_delay = 1
Sat Jul 18 11:05:32 2009 : Debug: status_server = yes
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: radiusd: #### Loading Realms and Home Servers ####
Sat Jul 18 11:05:32 2009 : Debug: proxy server {
Sat Jul 18 11:05:32 2009 : Debug: retry_delay = 5
Sat Jul 18 11:05:32 2009 : Debug: retry_count = 3
Sat Jul 18 11:05:32 2009 : Debug: default_fallback = no
Sat Jul 18 11:05:32 2009 : Debug: dead_time = 120
Sat Jul 18 11:05:32 2009 : Debug: wake_all_if_all_dead = no
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: home_server localhost {
Sat Jul 18 11:05:32 2009 : Debug: ipaddr = 127.0.0.1
Sat Jul 18 11:05:32 2009 : Debug: port = 1812
Sat Jul 18 11:05:32 2009 : Debug: type = "auth"
Sat Jul 18 11:05:32 2009 : Debug: secret = "testing123"
Sat Jul 18 11:05:32 2009 : Debug: response_window = 20
Sat Jul 18 11:05:32 2009 : Debug: max_outstanding = 65536
Sat Jul 18 11:05:32 2009 : Debug: require_message_authenticator = no
Sat Jul 18 11:05:32 2009 : Debug: zombie_period = 40
Sat Jul 18 11:05:32 2009 : Debug: status_check = "status-server"
Sat Jul 18 11:05:32 2009 : Debug: ping_interval = 30
Sat Jul 18 11:05:32 2009 : Debug: check_interval = 30
Sat Jul 18 11:05:32 2009 : Debug: num_answers_to_alive = 3
Sat Jul 18 11:05:32 2009 : Debug: num_pings_to_alive = 3
Sat Jul 18 11:05:32 2009 : Debug: revive_interval = 120
Sat Jul 18 11:05:32 2009 : Debug: status_check_timeout = 4
Sat Jul 18 11:05:32 2009 : Debug: irt = 2
Sat Jul 18 11:05:32 2009 : Debug: mrt = 16
Sat Jul 18 11:05:32 2009 : Debug: mrc = 5
Sat Jul 18 11:05:32 2009 : Debug: mrd = 30
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: home_server_pool my_auth_failover {
Sat Jul 18 11:05:32 2009 : Debug: type = fail-over
Sat Jul 18 11:05:32 2009 : Debug: home_server = localhost
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: realm example.com {
Sat Jul 18 11:05:32 2009 : Debug: auth_pool = my_auth_failover
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: realm LOCAL {
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: radiusd: #### Loading Clients ####
Sat Jul 18 11:05:32 2009 : Debug: client localhost {
Sat Jul 18 11:05:32 2009 : Debug: ipaddr = 127.0.0.1
Sat Jul 18 11:05:32 2009 : Debug: require_message_authenticator = no
Sat Jul 18 11:05:32 2009 : Debug: secret = "test"
Sat Jul 18 11:05:32 2009 : Debug: nastype = "other"
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: radiusd: #### Instantiating modules ####
Sat Jul 18 11:05:32 2009 : Debug: instantiate {
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_expr, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_expr
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating expr
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_expiration, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_expiration
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating expiration
Sat Jul 18 11:05:32 2009 : Debug: expiration {
Sat Jul 18 11:05:32 2009 : Debug: reply-message = "Password Has Expired "
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_logintime, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_logintime
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating logintime
Sat Jul 18 11:05:32 2009 : Debug: logintime {
Sat Jul 18 11:05:32 2009 : Debug: reply-message = "You are calling outside your allowed timespan "
Sat Jul 18 11:05:32 2009 : Debug: minimum-timeout = 60
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: radiusd: #### Loading Virtual Servers ####
Sat Jul 18 11:05:32 2009 : Debug: server inner-tunnel {
Sat Jul 18 11:05:32 2009 : Debug: modules {
Sat Jul 18 11:05:32 2009 : Debug: Module: Checking authenticate {...} for more modules to load
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_pap, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_pap
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating pap
Sat Jul 18 11:05:32 2009 : Debug: pap {
Sat Jul 18 11:05:32 2009 : Debug: encryption_scheme = "auto"
Sat Jul 18 11:05:32 2009 : Debug: auto_header = no
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_chap, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_chap
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating chap
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_mschap, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_mschap
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating mschap
Sat Jul 18 11:05:32 2009 : Debug: mschap {
Sat Jul 18 11:05:32 2009 : Debug: use_mppe = yes
Sat Jul 18 11:05:32 2009 : Debug: require_encryption = no
Sat Jul 18 11:05:32 2009 : Debug: require_strong = no
Sat Jul 18 11:05:32 2009 : Debug: with_ntdomain_hack = no
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_unix, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_unix
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating unix
Sat Jul 18 11:05:32 2009 : Debug: unix {
Sat Jul 18 11:05:32 2009 : Debug: radwtmp = "/var/log/radwtmp"
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_eap, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_eap
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating eap
Sat Jul 18 11:05:32 2009 : Debug: eap {
Sat Jul 18 11:05:32 2009 : Debug: default_eap_type = "md5"
Sat Jul 18 11:05:32 2009 : Debug: timer_expire = 60
Sat Jul 18 11:05:32 2009 : Debug: ignore_unknown_eap_types = no
Sat Jul 18 11:05:32 2009 : Debug: cisco_accounting_username_bug = no
Sat Jul 18 11:05:32 2009 : Debug: max_sessions = 2048
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to sub-module rlm_eap_md5
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating eap-md5
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to sub-module rlm_eap_leap
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating eap-leap
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to sub-module rlm_eap_gtc
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating eap-gtc
Sat Jul 18 11:05:32 2009 : Debug: gtc {
Sat Jul 18 11:05:32 2009 : Debug: challenge = "Password: "
Sat Jul 18 11:05:32 2009 : Debug: auth_type = "PAP"
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to sub-module rlm_eap_tls
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating eap-tls
Sat Jul 18 11:05:32 2009 : Debug: tls {
Sat Jul 18 11:05:32 2009 : Debug: rsa_key_exchange = no
Sat Jul 18 11:05:32 2009 : Debug: dh_key_exchange = yes
Sat Jul 18 11:05:32 2009 : Debug: rsa_key_length = 512
Sat Jul 18 11:05:32 2009 : Debug: dh_key_length = 512
Sat Jul 18 11:05:32 2009 : Debug: verify_depth = 0
Sat Jul 18 11:05:32 2009 : Debug: pem_file_type = yes
Sat Jul 18 11:05:32 2009 : Debug: private_key_file = "/usr/local/etc/raddb/certs/server.pem"
Sat Jul 18 11:05:32 2009 : Debug: certificate_file = "/usr/local/etc/raddb/certs/server.pem"
Sat Jul 18 11:05:32 2009 : Debug: CA_file = "/usr/local/etc/raddb/certs/ca.pem"
Sat Jul 18 11:05:32 2009 : Debug: private_key_password = "whatever"
Sat Jul 18 11:05:32 2009 : Debug: dh_file = "/usr/local/etc/raddb/certs/dh"
Sat Jul 18 11:05:32 2009 : Debug: random_file = "/usr/local/etc/raddb/certs/random"
Sat Jul 18 11:05:32 2009 : Debug: fragment_size = 1024
Sat Jul 18 11:05:32 2009 : Debug: include_length = yes
Sat Jul 18 11:05:32 2009 : Debug: check_crl = no
Sat Jul 18 11:05:32 2009 : Debug: cipher_list = "DEFAULT"
Sat Jul 18 11:05:32 2009 : Debug: make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
Sat Jul 18 11:05:32 2009 : Debug: cache {
Sat Jul 18 11:05:32 2009 : Debug: enable = no
Sat Jul 18 11:05:32 2009 : Debug: lifetime = 24
Sat Jul 18 11:05:32 2009 : Debug: max_entries = 255
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to sub-module rlm_eap_ttls
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating eap-ttls
Sat Jul 18 11:05:32 2009 : Debug: ttls {
Sat Jul 18 11:05:32 2009 : Debug: default_eap_type = "md5"
Sat Jul 18 11:05:32 2009 : Debug: copy_request_to_tunnel = no
Sat Jul 18 11:05:32 2009 : Debug: use_tunneled_reply = no
Sat Jul 18 11:05:32 2009 : Debug: virtual_server = "inner-tunnel"
Sat Jul 18 11:05:32 2009 : Debug: include_length = yes
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to sub-module rlm_eap_peap
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating eap-peap
Sat Jul 18 11:05:32 2009 : Debug: peap {
Sat Jul 18 11:05:32 2009 : Debug: default_eap_type = "mschapv2"
Sat Jul 18 11:05:32 2009 : Debug: copy_request_to_tunnel = no
Sat Jul 18 11:05:32 2009 : Debug: use_tunneled_reply = no
Sat Jul 18 11:05:32 2009 : Debug: proxy_tunneled_request_as_eap = yes
Sat Jul 18 11:05:32 2009 : Debug: virtual_server = "inner-tunnel"
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to sub-module rlm_eap_mschapv2
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating eap-mschapv2
Sat Jul 18 11:05:32 2009 : Debug: mschapv2 {
Sat Jul 18 11:05:32 2009 : Debug: with_ntdomain_hack = no
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: Module: Checking authorize {...} for more modules to load
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_realm, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_realm
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating suffix
Sat Jul 18 11:05:32 2009 : Debug: realm suffix {
Sat Jul 18 11:05:32 2009 : Debug: format = "suffix"
Sat Jul 18 11:05:32 2009 : Debug: delimiter = "@"
Sat Jul 18 11:05:32 2009 : Debug: ignore_default = no
Sat Jul 18 11:05:32 2009 : Debug: ignore_null = no
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_files, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_files
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating files
Sat Jul 18 11:05:32 2009 : Debug: files {
Sat Jul 18 11:05:32 2009 : Debug: usersfile = "/usr/local/etc/raddb/users"
Sat Jul 18 11:05:32 2009 : Debug: acctusersfile = "/usr/local/etc/raddb/acct_users"
Sat Jul 18 11:05:32 2009 : Debug: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
Sat Jul 18 11:05:32 2009 : Debug: compat = "no"
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: Module: Checking session {...} for more modules to load
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_radutmp, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_radutmp
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating radutmp
Sat Jul 18 11:05:32 2009 : Debug: radutmp {
Sat Jul 18 11:05:32 2009 : Debug: filename = "/var/log/radutmp"
Sat Jul 18 11:05:32 2009 : Debug: username = "%{User-Name}"
Sat Jul 18 11:05:32 2009 : Debug: case_sensitive = yes
Sat Jul 18 11:05:32 2009 : Debug: check_with_nas = yes
Sat Jul 18 11:05:32 2009 : Debug: perm = 384
Sat Jul 18 11:05:32 2009 : Debug: callerid = yes
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: Module: Checking post-proxy {...} for more modules to load
Sat Jul 18 11:05:32 2009 : Debug: Module: Checking post-auth {...} for more modules to load
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_attr_filter, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_attr_filter
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating attr_filter.access_reject
Sat Jul 18 11:05:32 2009 : Debug: attr_filter attr_filter.access_reject {
Sat Jul 18 11:05:32 2009 : Debug: attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
Sat Jul 18 11:05:32 2009 : Debug: key = "%{User-Name}"
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: } # modules
Sat Jul 18 11:05:32 2009 : Debug: } # server
Sat Jul 18 11:05:32 2009 : Debug: server {
Sat Jul 18 11:05:32 2009 : Debug: modules {
Sat Jul 18 11:05:32 2009 : Debug: Module: Checking authenticate {...} for more modules to load
Sat Jul 18 11:05:32 2009 : Debug: Module: Checking authorize {...} for more modules to load
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_preprocess, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_preprocess
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating preprocess
Sat Jul 18 11:05:32 2009 : Debug: preprocess {
Sat Jul 18 11:05:32 2009 : Debug: huntgroups = "/usr/local/etc/raddb/huntgroups"
Sat Jul 18 11:05:32 2009 : Debug: hints = "/usr/local/etc/raddb/hints"
Sat Jul 18 11:05:32 2009 : Debug: with_ascend_hack = no
Sat Jul 18 11:05:32 2009 : Debug: ascend_channels_per_line = 23
Sat Jul 18 11:05:32 2009 : Debug: with_ntdomain_hack = no
Sat Jul 18 11:05:32 2009 : Debug: with_specialix_jetstream_hack = no
Sat Jul 18 11:05:32 2009 : Debug: with_cisco_vsa_hack = no
Sat Jul 18 11:05:32 2009 : Debug: with_alvarion_vsa_hack = no
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: Module: Checking preacct {...} for more modules to load
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_acct_unique, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_acct_unique
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating acct_unique
Sat Jul 18 11:05:32 2009 : Debug: acct_unique {
Sat Jul 18 11:05:32 2009 : Debug: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: Module: Checking accounting {...} for more modules to load
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_detail, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_detail
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating detail
Sat Jul 18 11:05:32 2009 : Debug: detail {
Sat Jul 18 11:05:32 2009 : Debug: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
Sat Jul 18 11:05:32 2009 : Debug: header = "%t"
Sat Jul 18 11:05:32 2009 : Debug: detailperm = 384
Sat Jul 18 11:05:32 2009 : Debug: dirperm = 493
Sat Jul 18 11:05:32 2009 : Debug: locking = no
Sat Jul 18 11:05:32 2009 : Debug: log_packet_header = no
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating attr_filter.accounting_response
Sat Jul 18 11:05:32 2009 : Debug: attr_filter attr_filter.accounting_response {
Sat Jul 18 11:05:32 2009 : Debug: attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
Sat Jul 18 11:05:32 2009 : Debug: key = "%{User-Name}"
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: Module: Checking session {...} for more modules to load
Sat Jul 18 11:05:32 2009 : Debug: Module: Checking post-proxy {...} for more modules to load
Sat Jul 18 11:05:32 2009 : Debug: Module: Checking post-auth {...} for more modules to load
Sat Jul 18 11:05:32 2009 : Debug: (Loaded rlm_exec, checking if it's valid)
Sat Jul 18 11:05:32 2009 : Debug: Module: Linked to module rlm_exec
Sat Jul 18 11:05:32 2009 : Debug: Module: Instantiating exec
Sat Jul 18 11:05:32 2009 : Debug: exec {
Sat Jul 18 11:05:32 2009 : Debug: wait = no
Sat Jul 18 11:05:32 2009 : Debug: input_pairs = "request"
Sat Jul 18 11:05:32 2009 : Debug: shell_escape = yes
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: } # modules
Sat Jul 18 11:05:32 2009 : Debug: } # server
Sat Jul 18 11:05:32 2009 : Debug: radiusd: #### Opening IP addresses and Ports ####
Sat Jul 18 11:05:32 2009 : Debug: listen {
Sat Jul 18 11:05:32 2009 : Debug: type = "auth"
Sat Jul 18 11:05:32 2009 : Debug: ipaddr = *
Sat Jul 18 11:05:32 2009 : Debug: port = 1812
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: listen {
Sat Jul 18 11:05:32 2009 : Debug: type = "acct"
Sat Jul 18 11:05:32 2009 : Debug: ipaddr = *
Sat Jul 18 11:05:32 2009 : Debug: port = 0
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: listen {
Sat Jul 18 11:05:32 2009 : Debug: type = "control"
Sat Jul 18 11:05:32 2009 : Debug: listen {
Sat Jul 18 11:05:32 2009 : Debug: socket = "/var/run/radiusd/radiusd.sock"
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: }
Sat Jul 18 11:05:32 2009 : Debug: Listening on authentication address * port 1812
Sat Jul 18 11:05:32 2009 : Debug: Listening on accounting address * port 1813
Sat Jul 18 11:05:32 2009 : Debug: Listening on command file /var/run/radiusd/radiusd.sock
Sat Jul 18 11:05:32 2009 : Debug: Listening on proxy address * port 1814
Sat Jul 18 11:05:32 2009 : Debug: Ready to process requests.
radiud.conf:
# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id$
########################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble.
#
# Run the server in debugging mode, and READ the output.
#
# $ radiusd -X
#
# We cannot emphasize this point strongly enough. The vast
# majority of problems can be solved by carefully reading the
# debugging output, which includes warnings about common issues,
# and suggestions for how they may be fixed.
#
# There may be a lot of output, but look carefully for words like:
# "warning", "error", "reject", or "failure". The messages there
# will usually be enough to guide you to a solution.
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to "post the output of radiusd -X".######################################################################
#
# The location of other config files and logfiles are declared
# in this file.
#
# Also general configuration for modules can be done in this
# file, it is exported through the API to modules that ask for
# it.
#
# See "man radiusd.conf" for documentation on the format of this
# file. Note that the individual configuration items are NOT
# documented in that "man" page. They are only documented here,
# in the comments.
#
# As of 2.0.0, FreeRADIUS supports a simple processing language
# in the "authorize", "authenticate", "accounting", etc. sections.
# See "man unlang" for details.
#prefix = /usr/local/
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct#
# name of the running server. See also the "-n" command-line option.
name = radiusd# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = /usr/local/lib/freeradius-2.1.6# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid# chroot: directory where the server does "chroot".
#
# The chroot is done very early in the process of starting the server.
# After the chroot has been performed it switches to the "user" listed
# below (which MUST be specified). If "group" is specified, it switchs
# to that group, too. Any other groups listed for the specified "user"
# in "/etc/group" are also added as part of this process.
#
# The current working directory (chdir / cd) is left *outside* of the
# chroot until all of the modules have been initialized. This allows
# the "raddb" directory to be left outside of the chroot. Once the
# modules have been initialized, it does a "chdir" to ${logdir}. This
# means that it should be impossible to break out of the chroot.
#
# If you are worried about security issues related to this use of chdir,
# then simply ensure that the "raddb" directory is inside of the chroot,
# end be sure to do "cd raddb" BEFORE starting the server.
#
# If the server is statically linked, then the only files that have
# to exist in the chroot are ${run_dir} and ${logdir}. If you do the
# "cd raddb" as discussed above, then the "raddb" directory has to be
# inside of the chroot directory, too.
#
#chroot = /path/to/chroot/directory# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the user/group
# that started it. In order to change to a different user/group, you
# MUST be root ( or have root privleges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to radius'.
#
# NOTE that some kernels refuse to setgid(group) when the value of
# (unsigned)group is above 60000; don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate users while in debug mode, but not in daemon mode, it may be
# that the debugging mode server is running as a user that can read the
# shadow info, and the user listed below can not.
#
# The server will also try to use "initgroups" to read /etc/groups.
# It will join all groups where "user" is a member. This can allow
# for some finer-grained access controls.
#
user = freeradius
group = freeradius# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as seperate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 1024# listen: Make the server listen on a particular IP address, and send
# replies out from that address. This directive is most useful for
# hosts with multiple IP addresses on one interface.
#
# If you want the server to listen on additional addresses, or on
# additionnal ports, you can use multiple "listen" sections.
#
# Each section make the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# different sections.
#
# The server ignore all "listen" section if you are using '-i' and '-p'
# on the command line.
#
listen {
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
# proxy IP to use for sending proxied packets
# detail Read from the detail file. For examples, see
# raddb/sites-available/copy-acct-to-home-server
# status listen for Status-Server packets. For examples,
# see raddb/sites-available/status
#
type = auth# Note: "type = proxy" lets you control the source IP used for
# proxying packets, with some limitations:
#
# * Only ONE proxy listener can be defined.
# * A proxy listener CANNOT be used in a virtual server section.
# * You should probably set "port = 0".
# * Any "clients" configuration will be ignored.# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
ipaddr = *# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
port = 1812# Some systems support binding to an interface, in addition
# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for eth0".
#
# If your system does not support this feature, you will
# get an error if you try to use it.
#
# interface = eth0# Per-socket lists of clients. This is a very useful feature.
#
# The name here is a reference to a section elsewhere in
# radiusd.conf, or clients.conf. Having the name as
# a reference allows multiple sockets to use the same
# set of clients.
#
# If this configuration is used, then the global list of clients
# is IGNORED for this "listen" section. Take care configuring
# this feature, to ensure you don't accidentally disable a
# client you need.
#
# See clients.conf for the configuration of "per_socket_clients".
#
# clients = per_socket_clients
}# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
ipaddr = *
# ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients
}# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
#
regular_expressions = yes
extended_expressions = yes#
# Logging section. The various "log_*" configuration items
# will eventually be moved here.
#
log {
#
# Destination for log messages. This can be one of:
#
# files - log to "file", as defined below.
# syslog - to syslog (see also the "syslog_facility", below.
# stdout - standard output
# stderr - standard error.
#
# The command-line option "-X" over-rides this option, and forces
# logging to go to stdout.
#
destination = files#
# The logging messages for the server are appended to the
# tail of this file if destination == "files"
#
# If the server is running in debugging mode, this file is
# NOT used.
#
file = ${logdir}/radius.log#
# If this configuration parameter is set, then log messages for
# a *request* go to this file, rather than to radius.log.
#
# i.e. This is a log file per request, once the server has accepted
# the request as being from a valid client. Messages that are
# not associated with a request still go to radius.log.
#
# Not all log messages in the server core have been updated to use
# this new internal API. As a result, some messages will still
# go to radius.log. Please submit patches to fix this behavior.
#
# The file name is expanded dynamically. You should ONLY user
# server-side attributes for the filename (e.g. things you control).
# Using this feature MAY also slow down the server substantially,
# especially if you do thinks like SQL calls as part of the
# expansion of the filename.
#
# The name of the log file should use attributes that don't change
# over the lifetime of a request, such as User-Name,
# Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
# messages will be distributed over multiple files.
#
# Logging can be enabled for an individual request by a special
# dynamic expansion macro: %{debug: 1}, where the debug level
# for this request is set to '1' (or 2, 3, etc.). e.g.
#
# ...
# update control {
# Tmp-String-0 = "%{debug:1}"
# }
# ...
#
# The attribute that the value is assigned to is unimportant,
# and should be a "throw-away" attribute with no side effects.
#
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log#
# Which syslog facility to use, if ${destination} == "syslog"
#
# The exact values permitted here are OS-dependent. You probably
# don't want to change this.
#
syslog_facility = daemon# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
stripped_names = no# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = no# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no
}# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means "allow any number of attributes"
max_attributes = 200#
# reject_delay: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a users password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# Useful ranges: 1 to 5
reject_delay = 1#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept or Accounting-Response packet.
#
# This is mainly useful for administrators who want to "ping"
# the server, without adding test users, or creating fake
# accounting packets.
#
# It's also useful when a NAS marks a RADIUS server "dead".
# The NAS can periodically "ping" the server with a Status-Server
# packet. If the server responds, it must be alive, and the
# NAS can start using it for real requests.
#
# See also raddb/sites-available/status
#
status_server = yes
}# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
## The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE clients.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT do keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp' configuration
# for an example.
##
# As of 2.0.5, most of the module configurations are in a
# sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/
# are loaded. The modules are initialized ONLY if they are
# referenced in a processing section, such as authorize,
# authenticate, accounting, pre/post-proxy, etc.
#
$INCLUDE ${confdir}/modules/# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE eap.conf# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
$INCLUDE sql.conf#
# This module is an SQL enabled version of the counter module.
#
# Rather than maintaining seperate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
# $INCLUDE sql/mysql/counter.conf#
# IP addresses managed in an SQL table.
#
# $INCLUDE sqlippool.conf
}# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initalized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
# exec#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# So the module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc/rlm_expr' for
# more information.
#
expr#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
expiration
logintime# subsections here can be thought of as "virtual" modules.
#
# e.g. If you have two redundant SQL servers, and you want to
# use them in the authorize and accounting sections, you could
# place a "redundant" block in each section, containing the
# exact same text. Or, you could uncomment the following
# lines, and list "redundant_sql" in the authorize and
# accounting sections.
#
#redundant redundant_sql {
# sql1
# sql2
#}
}######################################################################
#
# Policies that can be applied in multiple places are listed
# globally. That way, they can be defined once, and referred
# to multiple times.
#
######################################################################
$INCLUDE policy.conf######################################################################
#
# Load virtual servers.
#
# This next $INCLUDE line loads files in the directory that
# match the regular expression: /[a-zA-Z0-9_.]+/
#
# It allows you to define new virtual servers simply by placing
# a file into the raddb/sites-enabled/ directory.
#
$INCLUDE sites-enabled/
clients.conf:# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id$#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
##
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
client localhost {
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
ipaddr = 127.0.0.1# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost#
# A note on DNS: We STRONGLY recommend using IP addresses
# rather than host names. Using host names means that the
# server will do DNS lookups when it starts, making it
# dependent on DNS. i.e. If anything goes wrong with DNS,
# the server won't start!
#
# The server also looks up the IP address from DNS once, and
# only once, when it starts. If the DNS record is later
# updated, the server WILL NOT see that update.
## One client definition can be applied to an entire network.
# e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
# "netmask = 8"
#
# If not specified, the default netmask is 32 (i.e. /32)
#
# We do NOT recommend using anything other than 32. There
# are usually other, better ways to acheive the same goal.
# Using netmasks of other than 32 can cause security issues.
#
# You can specify overlapping networks (127/8 and 127.0/16)
# In that case, the smallest possible network will be used
# as the "best match" for the client.
#
# Clients can also be defined dynamically at run time, based
# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
# etc.
# See raddb/sites-available/dynamic-clients for details.
## netmask = 32
#
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 8k characters in length.
#
# Control codes can be entered vi octal encoding,
# e.g. "\101\102" == "AB"
# Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
# A note on security: The security of the RADIUS protocol
# depends COMPLETELY on this secret! We recommend using a
# shared secret that is composed of:
#
# upper case letters
# lower case letters
# numbers
#
# And is at LEAST 8 characters long, preferably 16 characters in
# length. The secret MUST be random, and should not be words,
# phrase, or anything else that is recognizable.
#
# The default secret below is only for testing, and should
# not be used in any real environment.
#
secret = test#
# Old-style clients do not send a Message-Authenticator
# in an Access-Request. RFC 5080 suggests that all clients
# SHOULD include it in an Access-Request. The configuration
# item below allows the server to require it. If a client
# is required to include a Message-Authenticator and it does
# not, then the packet will be silently discarded.
#
# allowed values: yes, no
require_message_authenticator = no#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
# It is accepted for compatibility with 1.x, but it is no
# longer necessary in 2.0
#
# shortname = localhost#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
##
# The nastype tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types#
nastype = other # localhost isn't usually a NAS...#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas#
# As of 2.0, clients can also be tied to a virtual server.
# This is done by setting the "virtual_server" configuration
# item, as in the example below.
#
# virtual_server = home1
}
sql.conf:# -*- text -*-
##
## sql.conf -- SQL modules
##
## $Id$######################################################################
#
# Configuration for the SQL module
#
# The database schemas and queries are located in subdirectories:
#
# sql/DB/schema.sql Schema
# sql/DB/dialup.conf Basic dialup (including policy) queries
# sql/DB/counter.conf counter
# sql/DB/ippool.conf IP Pools in SQL
# sql/DB/ippool.sql schema for IP pools.
#
# Where "DB" is mysql, mssql, oracle, or postgresql.
#sql {
#
# Set the database to one of:
#
# mysql, mssql, oracle, postgresql
#
database = "postgresql"#
# Which FreeRADIUS driver to use.
#
driver = "rlm_sql_${database}"# Connection info:
server = "localhost"
port = 5432
login = "raduser"
password = ""# Database table configuration for everything except Oracle
radius_db = "raddatab"
# If you are using Oracle then use this instead
# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"# Allow for storing data after authentication
postauth_table = "radpostauth"authcheck_table = "radcheck"
authreply_table = "radreply"groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"# Table to keep group info
usergroup_table = "radusergroup"# If set to 'yes' (default) we read the group tables
# If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
# read_groups = yes# Remove stale session if checkrad does not see a double login
deletestalesessions = yes# Print all SQL statements when in debug mode (-x)
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql# number of sql connections to make to server
num_sql_socks = 5# number of seconds to dely retrying on a failed database
# connection (per_socket)
connect_failure_retry_delay = 60# lifetime of an SQL socket. If you are having network issues
# such as TCP sessions expiring, you may need to set the socket
# lifetime. If set to non-zero, any open connections will be
# closed "lifetime" seconds after they were first opened.
lifetime = 0# Maximum number of queries used by an SQL socket. If you are
# having issues with SQL sockets lasting "too long", you can
# limit the number of queries performed over one socket. After
# "max_qeuries", the socket will be closed. Use 0 for "no limit".
max_queries = 0# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup. For performance
# and security reasons, finding clients via SQL queries CANNOT
# be done "live" while the server is running.
#
#readclients = yes# Table to keep radius client info
nas_table = "nas"# Read driver-specific configuration
$INCLUDE sql/${database}/dialup.conf
}
Научись команде "grep -v".
Читать портянки комментариев в конфиг файлах мало кому интересно.
ок, переделаю)
clients.conf:client localhost {
ipaddr = 127.0.0.1
secret = test
require_message_authenticator = no
nastype = other # localhost isn't usually a NAS...
}
radius.conf:
prefix = /usr/local/
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusdconfdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-2.1.6
pidfile = ${run_dir}/${name}.pid
user = freeradius
group = freeradius
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 1812
}listen {
ipaddr = *
port = 0
type = acct
}hostname_lookups = no
allow_core_dumps = noregular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
status_server = yes
}proxy_requests = yes
$INCLUDE proxy.conf$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf}
instantiate {
exprexpiration
logintime}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
Разобрался сам... Оказалось, надо править ещё один конфигурационник ./raddb/sites-aviable/default, настроить на использование sql.